Bug 1887664 (CVE-2020-25649)

Summary: CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
Product: [Other] Security Response
Reporter: Kunjan Rathod <krathod>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, asoldano, atangrin, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bibryam, bkearney, bmaxwell, bmontgom, brian.stansberry, btofel, btotty, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dbecker, dblechte, dcoleman, decathorpe, dfediuck, dkreling, dosoudil, drieden, eedri, eleandro, eparis, eric.wittmann, etirelli, ganandan, ggaughan, ggrzybek, gmalinko, gsmet, hbraun, hhorak, hhudgeon, ibek, iweiss, janstey, java-maint, java-maint-sig, java-sig-commits, jawilson, jbalunas, jburrell, jcantril, jjoyce, jochrist, jokerman, jolee, jorton, jpallich, jperkins, jross, jschatte, jschluet, jstastny, jwon, krathod, kverlaen, kwills, lef, lgao, lhh, lpeer, lthon, lzap, mburns, mgoldboi, michal.skrivanek, mkolesni, mmccune, mnovotny, msochure, msvehla, mszynkie, nmoumoul, nstielau, nwallace, pantinor, pdrozd, pgallagh, pjindal, pmackay, ppalaga, probinso, puntogil, rchan, rguimara, rhcs-maint, rjerrido, rrajasek, rruss, rstancel, rsvoboda, rsynek, sbiarozk, sbonazzo, sclewis, scohen, sdaley, sd-operator-metering, sdouglas, sherold, slinaber, smaestri, snikolov, sokeeffe, sponnaga, sthorger, swoodman, tbrisker, tom.jenkinson, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: jackson-databind-2.11.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in FasterXML Jackson Databind, where entity expansion in its DOMDeserializer was not secured properly. Applications that bind JSON string values to DOM types through this deserializer are vulnerable to XML external entity (XXE) attacks. The highest threat from this vulnerability is to data integrity.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-10-22 20:21:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1887779, 1888130, 1888374, 1888643, 1888647, 1888490, 1888491, 1888578, 1888644, 1888645, 1888646, 1889246
Bug Blocks: 1881251

Description Kunjan Rathod 2020-10-13 06:30:52 UTC
A flaw was found in FasterXML Jackson Databind which did not have entity expansion secured properly, making it vulnerable to XML external entity (XXE) attacks. This vulnerability is similar to CVE-2019-10172. The primary threat from this flaw is data integrity.

Comment 1 Kunjan Rathod 2020-10-13 06:31:01 UTC
External References:

https://github.com/FasterXML/jackson-databind/issues/2589

Comment 6 Marian Rehak 2020-10-13 10:44:24 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1887779]

Comment 33 Jonathan Christison 2020-10-19 11:05:16 UTC
Marking Red Hat JBoss Fuse 6 and Red Hat Fuse 7 as having a moderate impact. Both versions distribute affected versions of jackson-databind; however, its use in both Fuse 6 and Fuse 7 is not susceptible to the vulnerability, as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.

This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
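The condition described in the Description and in the comment above is whether anything binds a JSON string value to an org.w3c.dom.Document (or Node) field, because that type selection is what makes Jackson pick DOMDeserializer implicitly. The following is an added illustration written for this page; it is not code from the bug report or from jackson-databind itself. It shows such a bean, a constructed XXE probe payload, and a replacement deserializer that parses with DOCTYPE and external entities disabled so the probe is rejected. The class names DomXxeCheck, Envelope and SafeDomDeserializer are made up for the example; the feature URIs are the standard JAXP/Xerces ones and the exact hardening in jackson-databind 2.11.0 is not reproduced here.

```java
// Added example, not code from the bug report or from jackson-databind.
// (1) Envelope.payload of type org.w3c.dom.Document is the "implicit" path into
//     DOMDeserializer that the report talks about.
// (2) SafeDomDeserializer is a hardened replacement registered via a module, so
//     the constructed XXE probe is rejected before any entity is resolved.
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;

public class DomXxeCheck {

    // Constructed probe: JSON whose string value carries an external entity.
    // On an affected jackson-databind the stock DOMDeserializer would parse this
    // string into a DOM and resolve &xxe; while doing so.
    static final String XXE_JSON =
        "{\"payload\":\"<!DOCTYPE d [<!ENTITY xxe SYSTEM \\\"file:///etc/hostname\\\">]><d>&xxe;</d>\"}";

    // A bean like this is all it takes: the field type selects DOMDeserializer.
    public static class Envelope {
        public Document payload;
    }

    // Hardened deserializer: no DOCTYPE, no external entities, no XInclude.
    static final class SafeDomDeserializer extends StdDeserializer<Document> {
        private static final long serialVersionUID = 1L;
        private final DocumentBuilderFactory factory;

        SafeDomDeserializer() throws ParserConfigurationException {
            super(Document.class);
            factory = DocumentBuilderFactory.newInstance();
            factory.setNamespaceAware(true);
            factory.setExpandEntityReferences(false);
            factory.setXIncludeAware(false);
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        }

        @Override
        public Document deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            String xml = p.getValueAsString();
            if (xml == null) {
                // Not a scalar token: let Jackson report it the usual way.
                return (Document) ctxt.handleUnexpectedToken(Document.class, p);
            }
            try {
                return factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            } catch (Exception e) {
                // Any parser rejection (e.g. DOCTYPE present) becomes a mapping error.
                throw ctxt.weirdStringException(xml, Document.class, "rejected XML: " + e.getMessage());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper hardened = new ObjectMapper();
        hardened.registerModule(
            new SimpleModule().addDeserializer(Document.class, new SafeDomDeserializer()));
        try {
            hardened.readValue(XXE_JSON, Envelope.class);
            System.out.println("unexpected: probe payload was parsed");
        } catch (IOException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

To audit a codebase the way the comments on this bug describe, search for fields, constructor parameters or readValue targets of type org.w3c.dom.Document or org.w3c.dom.Node; if none exist, the stock DOMDeserializer is never selected and the exposure is absent even though the affected jar is on the classpath.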

Comment 35 Jonathan Christison 2020-10-20 15:44:04 UTC
Marking Red Hat Camel K as having a moderate impact. Although Camel K distributes affected versions of jackson-databind, its use is not susceptible to the vulnerability, as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.

Comment 36 Jonathan Christison 2020-10-20 16:49:17 UTC
Marking Red Hat JBoss AMQ 6 as having a moderate impact. Although AMQ 6 distributes affected versions of jackson-databind, its use in both AMQ 6 and, as noted earlier, Fuse 6 is not susceptible to the vulnerability, as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.

This vulnerability is out of security support scope for the following products:
* Red Hat JBoss AMQ 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 39 errata-xmlrpc 2020-10-22 16:46:02 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4312 https://access.redhat.com/errata/RHSA-2020:4312

Comment 40 Product Security DevOps Team 2020-10-22 20:21:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25649

Comment 41 errata-xmlrpc 2020-10-28 21:07:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:4402 https://access.redhat.com/errata/RHSA-2020:4402

Comment 42 errata-xmlrpc 2020-10-28 21:10:03 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:4401 https://access.redhat.com/errata/RHSA-2020:4401

Comment 47 Yadnyawalk Tale 2020-11-06 06:03:15 UTC
Statement:

* Red Hat Enterprise Linux 8 ships a vulnerable version of jackson-databind in the pki-deps:10.6 module. pki-deps:10.6 is for pki-core dependencies, but pki-core does not use the vulnerable DOMDeserializer class and thus has been set to low impact. Future updates may include a fixed version of jackson-databind.

* Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind code. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

* Red Hat Virtualization ships a vulnerable version of jackson-databind, however the vulnerable DOMDeserializer class is not used in the code, therefore reducing impact to low.

* Red Hat OpenShift Container Platform (OCP) ships a vulnerable version of jackson-databind, but in the affected containers the DOMDeserializer class is not used. Additionally, access to the containers is restricted to authenticated users only (OpenShift OAuth authentication), reducing the severity of this vulnerability to Low.
In OCP 4 there are no plans to maintain the ose-logging-elasticsearch5 container, hence it is marked as wontfix.

* Red Hat Satellite ships an affected version of jackson-databind through Candlepin; however, product code does not use the DOMDeserializer class or jackson-databind in a vulnerable way. Thus the impact has been set to low. A future release may update jackson-databind to a fixed version.

Comment 48 Chess Hazlett 2020-11-09 15:45:26 UTC
Mitigation:

There is currently no known mitigation for this flaw.

Comment 49 errata-xmlrpc 2020-11-09 18:26:36 UTC
This issue has been addressed in the following products:

  Vert.x 3.9.4

Via RHSA-2020:4379 https://access.redhat.com/errata/RHSA-2020:4379

Comment 51 Jonathan Christison 2020-11-16 13:25:42 UTC
Marking Red Hat Integration Service Registry as having a low impact. Although Service Registry uses affected versions of jackson-databind, its use is not susceptible to the vulnerability, as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.